Remove Burn Authenticode

Fixes https://github.com/wixtoolset/issues/issues/6301

16 files changed, 12 insertions, 562 deletions

diff --git a/src/engine/cache.cpp b/src/engine/cache.cpp
index 315281bc..92a79eb9 100644
--- a/src/engine/cache.cpp
+++ b/src/engine/cache.cpp
@@ -94,15 +94,6 @@ static HRESULT VerifyHash(
     __in_z LPCWSTR wzUnverifiedPayloadPath,
     __in HANDLE hFile
     );
-static HRESULT VerifyPayloadWithCatalog(
-    __in BURN_PAYLOAD* pPayload,
-    __in_z LPCWSTR wzUnverifiedPayloadPath,
-    __in HANDLE hFile
-    );
-static HRESULT VerifyPayloadAgainstChain(
-    __in BURN_PAYLOAD* pPayload,
-    __in PCCERT_CHAIN_CONTEXT pChainContext
-    );
 
 
 extern "C" HRESULT CacheInitialize(
@@ -189,7 +180,7 @@ LExit:
 }
 
 extern "C" HRESULT CacheEnsureWorkingFolder(
-    __in_z LPCWSTR wzBundleId,
+    __in_z_opt LPCWSTR wzBundleId,
     __deref_out_z_opt LPWSTR* psczWorkingFolder
     )
 {
@@ -964,56 +955,6 @@ LExit:
     return hr;
 }
 
-extern "C" HRESULT CacheVerifyPayloadSignature(
-    __in BURN_PAYLOAD* pPayload,
-    __in_z LPCWSTR wzUnverifiedPayloadPath,
-    __in HANDLE hFile
-    )
-{
-    HRESULT hr = S_OK;
-    LONG er = ERROR_SUCCESS;
-
-    GUID guidAuthenticode = WINTRUST_ACTION_GENERIC_VERIFY_V2;
-    WINTRUST_FILE_INFO wfi = { };
-    WINTRUST_DATA wtd = { };
-    CRYPT_PROVIDER_DATA* pProviderData = NULL;
-    CRYPT_PROVIDER_SGNR* pSigner = NULL;
-
-    // Verify the payload assuming online.
-    wfi.cbStruct = sizeof(wfi);
-    wfi.pcwszFilePath = wzUnverifiedPayloadPath;
-    wfi.hFile = hFile;
-
-    wtd.cbStruct = sizeof(wtd);
-    wtd.dwUnionChoice = WTD_CHOICE_FILE;
-    wtd.pFile = &wfi;
-    wtd.dwStateAction = WTD_STATEACTION_VERIFY;
-    wtd.dwProvFlags = WTD_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
-    wtd.dwUIChoice = WTD_UI_NONE;
-
-    er = ::WinVerifyTrust(static_cast<HWND>(INVALID_HANDLE_VALUE), &guidAuthenticode, &wtd);
-    if (er)
-    {
-        // Verify the payload assuming offline.
-        wtd.dwProvFlags |= WTD_CACHE_ONLY_URL_RETRIEVAL;
-
-        er = ::WinVerifyTrust(static_cast<HWND>(INVALID_HANDLE_VALUE), &guidAuthenticode, &wtd);
-        ExitOnWin32Error(er, hr, "Failed authenticode verification of payload: %ls", wzUnverifiedPayloadPath);
-    }
-
-    pProviderData = WTHelperProvDataFromStateData(wtd.hWVTStateData);
-    ExitOnNullWithLastError(pProviderData, hr, "Failed to get provider state from authenticode certificate.");
-
-    pSigner = WTHelperGetProvSignerFromChain(pProviderData, 0, FALSE, 0);
-    ExitOnNullWithLastError(pSigner, hr, "Failed to get signer chain from authenticode certificate.");
-
-    hr = VerifyPayloadAgainstChain(pPayload, pSigner->pChainContext);
-    ExitOnFailure(hr, "Failed to verify expected payload against actual certificate chain.");
-
-LExit:
-    return hr;
-}
-
 extern "C" void CacheCleanup(
     __in BOOL fPerMachine,
     __in_z LPCWSTR wzBundleId
@@ -1098,7 +1039,7 @@ extern "C" void CacheUninitialize()
 // Internal functions.
 
 static HRESULT CalculateWorkingFolder(
-    __in_z LPCWSTR /*wzBundleId*/,
+    __in_z_opt LPCWSTR /*wzBundleId*/,
     __deref_out_z LPWSTR* psczWorkingFolder
     )
 {
@@ -1387,18 +1328,7 @@ static HRESULT VerifyThenTransferPayload(
         ExitWithLastError(hr, "Failed to open payload in working path: %ls", wzUnverifiedPayloadPath);
     }
 
-    // If the payload has a certificate root public key identifier provided, verify the certificate.
-    if (pPayload->pbCertificateRootPublicKeyIdentifier)
-    {
-        hr = CacheVerifyPayloadSignature(pPayload, wzUnverifiedPayloadPath, hFile);
-        ExitOnFailure(hr, "Failed to verify payload signature: %ls", wzCachedPath);
-    }
-    else if (pPayload->pCatalog) // If catalog files are specified, attempt to verify the file with a catalog file
-    {
-        hr = VerifyPayloadWithCatalog(pPayload, wzUnverifiedPayloadPath, hFile);
-        ExitOnFailure(hr, "Failed to verify payload signature: %ls", wzCachedPath);
-    }
-    else if (pPayload->pbHash) // the payload should have a hash we can use to verify it.
+    if (pPayload->pbHash) // the payload should have a hash we can use to verify it.
     {
         hr = VerifyHash(pPayload->pbHash, pPayload->cbHash, wzUnverifiedPayloadPath, hFile);
         ExitOnFailure(hr, "Failed to verify payload hash: %ls", wzCachedPath);
@@ -1466,18 +1396,7 @@ static HRESULT VerifyFileAgainstPayload(
         ExitOnRootFailure(hr, "Failed to open payload at path: %ls", wzVerifyPath);
     }
 
-    // If the payload has a certificate root public key identifier provided, verify the certificate.
-    if (pPayload->pbCertificateRootPublicKeyIdentifier)
-    {
-        hr = CacheVerifyPayloadSignature(pPayload, wzVerifyPath, hFile);
-        ExitOnFailure(hr, "Failed to verify signature of payload: %ls", pPayload->sczKey);
-    }
-    else if (pPayload->pCatalog) // If catalog files are specified, attempt to verify the file with a catalog file
-    {
-        hr = VerifyPayloadWithCatalog(pPayload, wzVerifyPath, hFile);
-        ExitOnFailure(hr, "Failed to verify catalog signature of payload: %ls", pPayload->sczKey);
-    }
-    else if (pPayload->pbHash) // the payload should have a hash we can use to verify it.
+    if (pPayload->pbHash) // the payload should have a hash we can use to verify it.
     {
         hr = VerifyHash(pPayload->pbHash, pPayload->cbHash, wzVerifyPath, hFile);
         ExitOnFailure(hr, "Failed to verify hash of payload: %ls", pPayload->sczKey);
@@ -1517,7 +1436,7 @@ LExit:
 
 static HRESULT ResetPathPermissions(
     __in BOOL fPerMachine,
-    __in LPCWSTR wzPath
+    __in_z LPCWSTR wzPath
     )
 {
     HRESULT hr = S_OK;
@@ -1863,164 +1782,3 @@ LExit:
 
     return hr;
 }
-
-static HRESULT VerifyPayloadWithCatalog(
-    __in BURN_PAYLOAD* pPayload,
-    __in_z LPCWSTR wzUnverifiedPayloadPath,
-    __in HANDLE hFile
-    )
-{
-    HRESULT hr = S_FALSE;
-    DWORD er = ERROR_SUCCESS;
-    WINTRUST_DATA WinTrustData = { };
-    WINTRUST_CATALOG_INFO WinTrustCatalogInfo = { };
-    GUID gSubSystemDriver = WINTRUST_ACTION_GENERIC_VERIFY_V2;
-    LPWSTR sczLowerCaseFile = NULL;
-    LPWSTR pCurrent = NULL;
-    LPWSTR sczName = NULL;
-    DWORD dwHashSize = 0;
-    DWORD dwTagSize;
-    LPBYTE pbHash = NULL;
-
-    // Get lower case file name.  Older operating systems need a lower case file
-    // to match in the catalog
-    hr = StrAllocString(&sczLowerCaseFile, wzUnverifiedPayloadPath, 0);
-    ExitOnFailure(hr, "Failed to allocate memory");
-
-    // Go through each character doing the lower case of each letter
-    pCurrent = sczLowerCaseFile;
-    while ('\0' != *pCurrent)
-    {
-        *pCurrent = (WCHAR)_tolower(*pCurrent);
-        pCurrent++;
-    }
-
-    // Get file hash
-    CryptCATAdminCalcHashFromFileHandle(hFile, &dwHashSize, pbHash, 0);
-    er = ::GetLastError();
-    if (ERROR_INSUFFICIENT_BUFFER == er)
-    {
-        pbHash = (LPBYTE)MemAlloc(dwHashSize, TRUE);
-        if (!CryptCATAdminCalcHashFromFileHandle(hFile, &dwHashSize, pbHash, 0))
-        {
-            ExitWithLastError(hr, "Failed to get file hash.");
-        }
-    }
-    else
-    {
-        ExitOnWin32Error(er, hr, "Failed to get file hash.");
-    }
-
-    // Make the hash into a string.  This is the member tag for the catalog
-    dwTagSize = (dwHashSize * 2) + 1;
-    hr = StrAlloc(&sczName, dwTagSize);
-    ExitOnFailure(hr, "Failed to allocate string.");
-    hr = StrHexEncode(pbHash, dwHashSize, sczName, dwTagSize);
-    ExitOnFailure(hr, "Failed to encode file hash.");
-
-    // Set up the WinVerifyTrust structures assuming online.
-    WinTrustData.cbStruct = sizeof(WINTRUST_DATA);
-    WinTrustData.dwUIChoice = WTD_UI_NONE;
-    WinTrustData.dwUnionChoice = WTD_CHOICE_CATALOG;
-    WinTrustData.dwStateAction = WTD_STATEACTION_VERIFY;
-    WinTrustData.dwProvFlags = WTD_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
-    WinTrustData.pCatalog = &WinTrustCatalogInfo;
-
-    WinTrustCatalogInfo.cbStruct = sizeof(WINTRUST_CATALOG_INFO);
-    WinTrustCatalogInfo.pbCalculatedFileHash = pbHash;
-    WinTrustCatalogInfo.cbCalculatedFileHash = dwHashSize;
-    WinTrustCatalogInfo.hMemberFile = hFile;
-    WinTrustCatalogInfo.pcwszMemberTag = sczName;
-    WinTrustCatalogInfo.pcwszMemberFilePath = sczLowerCaseFile;
-    WinTrustCatalogInfo.pcwszCatalogFilePath = pPayload->pCatalog->sczLocalFilePath;
-
-    hr = ::WinVerifyTrust(static_cast<HWND>(INVALID_HANDLE_VALUE), &gSubSystemDriver, &WinTrustData);
-    if (hr)
-    {
-        // Set up the WinVerifyTrust structures assuming online.
-        WinTrustData.dwProvFlags |= WTD_CACHE_ONLY_URL_RETRIEVAL;
-
-        er = ::WinVerifyTrust(static_cast<HWND>(INVALID_HANDLE_VALUE), &gSubSystemDriver, &WinTrustData);
-
-        // WinVerifyTrust returns 0 for success, a few different Win32 error codes if it can't
-        // find the provider, and any other error code is provider specific, so may not
-        // be an actual Win32 error code
-        ExitOnWin32Error(er, hr, "Could not verify file %ls.", wzUnverifiedPayloadPath);
-    }
-
-    // Need to close the WinVerifyTrust action
-    WinTrustData.dwStateAction = WTD_STATEACTION_CLOSE;
-    er = ::WinVerifyTrust(static_cast<HWND>(INVALID_HANDLE_VALUE), &gSubSystemDriver, &WinTrustData);
-    ExitOnWin32Error(er, hr, "Could not close verify handle.");
-
-LExit:
-    ReleaseStr(sczLowerCaseFile);
-    ReleaseStr(sczName);
-    ReleaseMem(pbHash);
-
-    return hr;
-}
-
-static HRESULT VerifyPayloadAgainstChain(
-    __in BURN_PAYLOAD* pPayload,
-    __in PCCERT_CHAIN_CONTEXT pChainContext
-    )
-{
-    HRESULT hr = S_OK;
-    PCCERT_CONTEXT pChainElementCertContext = NULL;
-
-    BYTE rgbPublicKeyIdentifier[SHA1_HASH_LEN] = { };
-    DWORD cbPublicKeyIdentifier = sizeof(rgbPublicKeyIdentifier);
-    BYTE* pbThumbprint = NULL;
-    DWORD cbThumbprint = 0;
-
-    // Walk up the chain looking for a certificate in the chain that matches our expected public key identifier
-    // and thumbprint (if a thumbprint was provided).
-    HRESULT hrChainVerification = E_NOTFOUND; // assume we won't find a match.
-    for (DWORD i = 0; i < pChainContext->rgpChain[0]->cElement; ++i)
-    {
-        pChainElementCertContext = pChainContext->rgpChain[0]->rgpElement[i]->pCertContext;
-
-        // Get the certificate's public key identifier.
-        if (!::CryptHashPublicKeyInfo(NULL, CALG_SHA1, 0, X509_ASN_ENCODING, &pChainElementCertContext->pCertInfo->SubjectPublicKeyInfo, rgbPublicKeyIdentifier, &cbPublicKeyIdentifier))
-        {
-            ExitWithLastError(hr, "Failed to get certificate public key identifier.");
-        }
-
-        // Compare the certificate's public key identifier with the payload's public key identifier. If they
-        // match, we're one step closer to the a positive result.
-        if (pPayload->cbCertificateRootPublicKeyIdentifier == cbPublicKeyIdentifier &&
-            0 == memcmp(pPayload->pbCertificateRootPublicKeyIdentifier, rgbPublicKeyIdentifier, cbPublicKeyIdentifier))
-        {
-            // If the payload specified a thumbprint for the certificate, verify it.
-            if (pPayload->pbCertificateRootThumbprint)
-            {
-                hr = CertReadProperty(pChainElementCertContext, CERT_SHA1_HASH_PROP_ID, &pbThumbprint, &cbThumbprint);
-                ExitOnFailure(hr, "Failed to read certificate thumbprint.");
-
-                if (pPayload->cbCertificateRootThumbprint == cbThumbprint &&
-                    0 == memcmp(pPayload->pbCertificateRootThumbprint, pbThumbprint, cbThumbprint))
-                {
-                    // If we got here, we found that our payload public key identifier and thumbprint
-                    // matched an element in the certficate chain.
-                    hrChainVerification = S_OK;
-                    break;
-                }
-
-                ReleaseNullMem(pbThumbprint);
-            }
-            else // no thumbprint match necessary so we're good to go.
-            {
-                hrChainVerification = S_OK;
-                break;
-            }
-        }
-    }
-    hr = hrChainVerification;
-    ExitOnFailure(hr, "Failed to find expected public key in certificate chain.");
-
-LExit:
-    ReleaseMem(pbThumbprint);
-
-    return hr;
-}
diff --git a/src/engine/cache.h b/src/engine/cache.h
index 95e6cb90..f8ad2a90 100644
--- a/src/engine/cache.h
+++ b/src/engine/cache.h
@@ -16,7 +16,7 @@ HRESULT CacheInitialize(
     __in_z_opt LPCWSTR wzSourceProcessPath
     );
 HRESULT CacheEnsureWorkingFolder(
-    __in LPCWSTR wzBundleId,
+    __in_z LPCWSTR wzBundleId,
     __deref_out_z_opt LPWSTR* psczWorkingFolder
     );
 HRESULT CacheCalculateBundleWorkingPath(
@@ -134,11 +134,6 @@ HRESULT CacheRemovePackage(
     __in_z LPCWSTR wzPackageId,
     __in_z LPCWSTR wzCacheId
     );
-HRESULT CacheVerifyPayloadSignature(
-    __in BURN_PAYLOAD* pPayload,
-    __in_z LPCWSTR wzUnverifiedPayloadPath,
-    __in HANDLE hFile
-    );
 void CacheCleanup(
     __in BOOL fPerMachine,
     __in_z LPCWSTR wzBundleId
diff --git a/src/engine/catalog.cpp b/src/engine/catalog.cpp
deleted file mode 100644
index da086545..00000000
--- a/src/engine/catalog.cpp
+++ /dev/null
@@ -1,180 +0,0 @@
-// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
-
-#include "precomp.h"
-
-
-// function definitions
-
-extern "C" HRESULT CatalogsParseFromXml(
-    __in BURN_CATALOGS* pCatalogs,
-    __in IXMLDOMNode* pixnBundle
-    )
-{
-    HRESULT hr = S_OK;
-    IXMLDOMNodeList* pixnNodes = NULL;
-    IXMLDOMNode* pixnNode = NULL;
-    DWORD cNodes = 0;
-    LPWSTR scz = NULL;
-
-    // select catalog nodes
-    hr = XmlSelectNodes(pixnBundle, L"Catalog", &pixnNodes);
-    ExitOnFailure(hr, "Failed to select catalog nodes.");
-
-    // get catalog node count
-    hr = pixnNodes->get_length((long*)&cNodes);
-    ExitOnFailure(hr, "Failed to get payload node count.");
-    if (!cNodes)
-    {
-        ExitFunction();
-    }
-
-    // allocate memory for catalogs
-    pCatalogs->rgCatalogs = (BURN_CATALOG*)MemAlloc(sizeof(BURN_CATALOG) * cNodes, TRUE);
-    ExitOnNull(pCatalogs->rgCatalogs, hr, E_OUTOFMEMORY, "Failed to allocate memory for payload structs.");
-
-    pCatalogs->cCatalogs = cNodes;
-
-    // parse catalog elements
-    for (DWORD i = 0; i < cNodes; ++i)
-    {
-        BURN_CATALOG* pCatalog = &pCatalogs->rgCatalogs[i];
-        pCatalog->hFile = INVALID_HANDLE_VALUE;
-
-        hr = XmlNextElement(pixnNodes, &pixnNode, NULL);
-        ExitOnFailure(hr, "Failed to get next node.");
-
-        // @Id
-        hr = XmlGetAttributeEx(pixnNode, L"Id", &pCatalog->sczKey);
-        ExitOnFailure(hr, "Failed to get @Id.");
-
-        // @Payload
-        hr = XmlGetAttributeEx(pixnNode, L"Payload", &pCatalog->sczPayload);
-        ExitOnFailure(hr, "Failed to get @Payload.");
-
-        // prepare next iteration
-        ReleaseNullObject(pixnNode);
-    }
-
-LExit:
-    ReleaseObject(pixnNodes);
-    ReleaseObject(pixnNode);
-    ReleaseStr(scz);
-
-    return hr;
-}
-
-extern "C" HRESULT CatalogFindById(
-    __in BURN_CATALOGS* pCatalogs,
-    __in_z LPCWSTR wzId,
-    __out BURN_CATALOG** ppCatalog
-    )
-{
-    HRESULT hr = S_OK;
-    BURN_CATALOG* pCatalog = NULL;
-
-    for (DWORD i = 0; i < pCatalogs->cCatalogs; ++i)
-    {
-        pCatalog = &pCatalogs->rgCatalogs[i];
-
-        if (CSTR_EQUAL == ::CompareStringW(LOCALE_INVARIANT, 0, pCatalog->sczKey, -1, wzId, -1))
-        {
-            *ppCatalog = pCatalog;
-            ExitFunction1(hr = S_OK);
-        }
-    }
-
-    hr = E_NOTFOUND;
-
-LExit:
-    return hr;
-}
-
-extern "C" HRESULT CatalogLoadFromPayload(
-    __in BURN_CATALOGS* pCatalogs,
-    __in BURN_PAYLOADS* pPayloads
-    )
-{
-    HRESULT hr = S_OK;
-    BURN_CATALOG* pCatalog = NULL;
-    BURN_PAYLOAD* pPayload = NULL;
-
-    // go through each catalog file
-    for (DWORD i = 0; i < pCatalogs->cCatalogs; i++)
-    {
-        pCatalog = &pCatalogs->rgCatalogs[i];
-
-        // get the payload for this catalog file
-        hr = PayloadFindById(pPayloads, pCatalog->sczPayload, &pPayload);
-        ExitOnFailure(hr, "Failed to find payload for catalog file.");
-
-        // Get the local file name
-        hr = StrAllocString(&pCatalog->sczLocalFilePath, pPayload->sczLocalFilePath, 0);
-        ExitOnFailure(hr, "Failed to get catalog local file path");
-
-        // Get a handle to the file
-        pCatalog->hFile = ::CreateFileW(pCatalog->sczLocalFilePath, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, NULL);
-        if (INVALID_HANDLE_VALUE == pCatalog->hFile)
-        {
-            ExitWithLastError(hr, "Failed to open catalog in working path: %ls", pCatalog->sczLocalFilePath);
-        }
-
-        // Verify the catalog file
-        hr = CacheVerifyPayloadSignature(pPayload, pCatalog->sczLocalFilePath, pCatalog->hFile);
-        ExitOnFailure(hr, "Failed to verify catalog signature: %ls", pCatalog->sczLocalFilePath);
-    }
-
-LExit:
-    return hr;
-}
-
-extern "C" HRESULT CatalogElevatedUpdateCatalogFile(
-    __in BURN_CATALOGS* pCatalogs,
-    __in_z LPCWSTR wzId,
-    __in_z LPCWSTR wzPath
-    )
-{
-    HRESULT hr = S_OK;
-    BURN_CATALOG* pCatalog = NULL;
-
-    // Find the catalog
-    hr = CatalogFindById(pCatalogs, wzId, &pCatalog);
-    ExitOnFailure(hr, "Failed to locate catalog information.");
-
-    if (NULL == pCatalog->sczLocalFilePath)
-    {
-        hr = StrAllocString(&pCatalog->sczLocalFilePath, wzPath, 0);
-        ExitOnFailure(hr, "Failed to allocated catalog path.");
-
-        // Get a handle to the file
-        pCatalog->hFile = ::CreateFileW(pCatalog->sczLocalFilePath, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, NULL);
-        if (INVALID_HANDLE_VALUE == pCatalog->hFile)
-        {
-            ExitWithLastError(hr, "Failed to open catalog in working path: %ls", pCatalog->sczLocalFilePath);
-        }
-    }
-
-LExit:
-    return hr;
-}
-
-extern "C" void CatalogUninitialize(
-    __in BURN_CATALOGS* pCatalogs
-    )
-{
-    if (pCatalogs->rgCatalogs)
-    {
-        for (DWORD i = 0; i < pCatalogs->cCatalogs; ++i)
-        {
-            BURN_CATALOG* pCatalog = &pCatalogs->rgCatalogs[i];
-
-            ReleaseHandle(pCatalog->hFile);
-            ReleaseStr(pCatalog->sczKey);
-            ReleaseStr(pCatalog->sczLocalFilePath);
-            ReleaseStr(pCatalog->sczPayload);
-        }
-        MemFree(pCatalogs->rgCatalogs);
-    }
-
-    // clear struct
-    memset(pCatalogs, 0, sizeof(BURN_CATALOGS));
-}
diff --git a/src/engine/catalog.h b/src/engine/catalog.h
deleted file mode 100644
index 3a87d0d2..00000000
--- a/src/engine/catalog.h
+++ /dev/null
@@ -1,56 +0,0 @@
-#pragma once
-// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
-
-
-#if defined(__cplusplus)
-extern "C" {
-#endif
-
-// structs
-
-typedef struct _BURN_CATALOG
-{
-    LPWSTR sczKey;
-    LPWSTR sczPayload;
-
-    // mutable members
-    LPWSTR sczLocalFilePath; // location of extracted or downloaded copy
-    HANDLE hFile;
-} BURN_CATALOG;
-
-typedef struct _BURN_CATALOGS
-{
-    BURN_CATALOG* rgCatalogs;
-    DWORD cCatalogs;
-} BURN_CATALOGS;
-
-typedef struct _BURN_PAYLOADS BURN_PAYLOADS;
-
-
-// functions
-
-HRESULT CatalogsParseFromXml(
-    __in BURN_CATALOGS* pCatalogs,
-    __in IXMLDOMNode* pixnBundle
-    );
-HRESULT CatalogFindById(
-    __in BURN_CATALOGS* pCatalogs,
-    __in_z LPCWSTR wzId,
-    __out BURN_CATALOG** ppCatalog
-    );
-HRESULT CatalogLoadFromPayload(
-    __in BURN_CATALOGS* pCatalogs,
-    __in BURN_PAYLOADS* pPayloads
-    );
-HRESULT CatalogElevatedUpdateCatalogFile(
-    __in BURN_CATALOGS* pCatalogs,
-    __in_z LPCWSTR wzId,
-    __in_z LPCWSTR wzPath
-    );
-void CatalogUninitialize(
-    __in BURN_CATALOGS* pCatalogs
-    );
-
-#if defined(__cplusplus)
-}
-#endif
diff --git a/src/engine/core.cpp b/src/engine/core.cpp
index 5b2454dc..0f5ea08a 100644
--- a/src/engine/core.cpp
+++ b/src/engine/core.cpp
@@ -151,10 +151,6 @@ extern "C" HRESULT CoreInitialize(
         hr = PayloadExtractFromContainer(&pEngineState->userExperience.payloads, NULL, &containerContext, pEngineState->userExperience.sczTempDirectory);
         ExitOnFailure(hr, "Failed to extract bootstrapper application payloads.");
 
-        // Load the catalog files as soon as they are extracted.
-        hr = CatalogLoadFromPayload(&pEngineState->catalogs, &pEngineState->userExperience.payloads);
-        ExitOnFailure(hr, "Failed to load catalog files.");
-
         hr = PathConcat(pEngineState->userExperience.sczTempDirectory, L"BootstrapperApplicationData.xml", &pEngineState->command.wzBootstrapperApplicationDataPath);
         ExitOnFailure(hr, "Failed to get BootstrapperApplicationDataPath.");
 
diff --git a/src/engine/core.h b/src/engine/core.h
index 544c1786..0161eaa0 100644
--- a/src/engine/core.h
+++ b/src/engine/core.h
@@ -98,7 +98,6 @@ typedef struct _BURN_ENGINE_STATE
     BURN_USER_EXPERIENCE userExperience;
     BURN_REGISTRATION registration;
     BURN_CONTAINERS containers;
-    BURN_CATALOGS catalogs;
     BURN_PAYLOADS payloads;
     BURN_PACKAGES packages;
     BURN_UPDATE update;
diff --git a/src/engine/engine.cpp b/src/engine/engine.cpp
index 3dbfb365..9eee7fde 100644
--- a/src/engine/engine.cpp
+++ b/src/engine/engine.cpp
@@ -400,7 +400,6 @@ static void UninitializeEngineState(
     RegistrationUninitialize(&pEngineState->registration);
     PayloadsUninitialize(&pEngineState->payloads);
     PackagesUninitialize(&pEngineState->packages);
-    CatalogUninitialize(&pEngineState->catalogs);
     SectionUninitialize(&pEngineState->section);
     ContainersUninitialize(&pEngineState->containers);
 
diff --git a/src/engine/engine.vcxproj b/src/engine/engine.vcxproj
index 3db6802b..cb179a23 100644
--- a/src/engine/engine.vcxproj
+++ b/src/engine/engine.vcxproj
@@ -1,9 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!-- Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->
-
 <Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <Import Project="..\..\packages\WixToolset.DUtil.4.0.59\build\WixToolset.DUtil.props" Condition="Exists('..\..\packages\WixToolset.DUtil.4.0.59\build\WixToolset.DUtil.props')" />
-
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|Win32">
       <Configuration>Debug</Configuration>
@@ -30,7 +28,6 @@
       <Platform>ARM64</Platform>
     </ProjectConfiguration>
   </ItemGroup>
-
   <PropertyGroup Label="Globals">
     <ProjectGuid>{8119537D-E1D9-6591-D51A-49768A2F9C37}</ProjectGuid>
     <ConfigurationType>StaticLibrary</ConfigurationType>
@@ -39,22 +36,17 @@
     <CharacterSet>Unicode</CharacterSet>
     <Description>Native component of WixToolset.Burn</Description>
   </PropertyGroup>
-
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
-
   <ImportGroup Label="ExtensionSettings">
   </ImportGroup>
-
   <ImportGroup Label="Shared">
   </ImportGroup>
-
   <ItemGroup>
     <ClCompile Include="apply.cpp" />
     <ClCompile Include="approvedexe.cpp" />
     <ClCompile Include="bitsengine.cpp" />
     <ClCompile Include="burnextension.cpp" />
-    <ClCompile Include="catalog.cpp" />
     <ClCompile Include="detect.cpp" />
     <ClCompile Include="embedded.cpp" />
     <ClCompile Include="EngineForApplication.cpp" />
@@ -95,7 +87,6 @@
     <ClCompile Include="variable.cpp" />
     <ClCompile Include="variant.cpp" />
   </ItemGroup>
-
   <ItemGroup>
     <ClInclude Include="apply.h" />
     <ClInclude Include="approvedexe.h" />
@@ -107,7 +98,6 @@
     <ClInclude Include="burnextension.h" />
     <ClInclude Include="cabextract.h" />
     <ClInclude Include="cache.h" />
-    <ClInclude Include="catalog.h" />
     <ClInclude Include="condition.h" />
     <ClInclude Include="container.h" />
     <ClInclude Include="core.h" />
@@ -145,11 +135,9 @@
     <ClInclude Include="variable.h" />
     <ClInclude Include="variant.h" />
   </ItemGroup>
-
   <ItemGroup>
     <None Include="packages.config" />
   </ItemGroup>
-  
   <ItemGroup>
     <CustomBuild Include="engine.mc">
       <Message>Compiling message file...</Message>
@@ -158,10 +146,7 @@ rc.exe -fo "$(OutDir)engine.res" "$(IntDir)engine.messages.rc"</Command>
       <Outputs>$(IntDir)engine.messages.h;$(IntDir)engine.messages.rc;$(OutDir)engine.res</Outputs>
     </CustomBuild>
   </ItemGroup>
-
-  <Target Name="SetWixVersion"
-          DependsOnTargets="GetBuildVersion"
-          BeforeTargets="ClCompile">
+  <Target Name="SetWixVersion" DependsOnTargets="GetBuildVersion" BeforeTargets="ClCompile">
     <PropertyGroup>
       <rmj>$(MajorMinorVersion.Split(`.`)[0])</rmj>
       <rmm>$(MajorMinorVersion.Split(`.`)[1])</rmm>
@@ -176,7 +161,6 @@ rc.exe -fo "$(OutDir)engine.res" "$(IntDir)engine.messages.rc"</Command>
       </ClCompile>
     </ItemGroup>
   </Target>
-
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <Import Project="..\..\packages\Nerdbank.GitVersioning.3.3.37\build\Nerdbank.GitVersioning.targets" Condition="Exists('..\..\packages\Nerdbank.GitVersioning.3.3.37\build\Nerdbank.GitVersioning.targets')" />
   <Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="PrepareForBuild">
diff --git a/src/engine/manifest.cpp b/src/engine/manifest.cpp
index fe8c6cad..fa454348 100644
--- a/src/engine/manifest.cpp
+++ b/src/engine/manifest.cpp
@@ -132,10 +132,6 @@ static HRESULT ParseFromXml(
     hr = SearchesParseFromXml(&pEngineState->searches, &pEngineState->extensions, pixeBundle);
     ExitOnFailure(hr, "Failed to parse searches.");
 
-    // parse catalog files
-    hr = CatalogsParseFromXml(&pEngineState->catalogs, pixeBundle);
-    ExitOnFailure(hr, "Failed to parse catalog files.");
-
     // parse registration
     hr = RegistrationParseFromXml(&pEngineState->registration, pixeBundle);
     ExitOnFailure(hr, "Failed to parse registration.");
@@ -149,7 +145,7 @@ static HRESULT ParseFromXml(
     ExitOnFailure(hr, "Failed to parse containers.");
 
     // parse payloads
-    hr = PayloadsParseFromXml(&pEngineState->payloads, &pEngineState->containers, &pEngineState->catalogs, pixeBundle);
+    hr = PayloadsParseFromXml(&pEngineState->payloads, &pEngineState->containers, pixeBundle);
     ExitOnFailure(hr, "Failed to parse payloads.");
 
     // parse packages
diff --git a/src/engine/payload.cpp b/src/engine/payload.cpp
index 6833288f..67eebe10 100644
--- a/src/engine/payload.cpp
+++ b/src/engine/payload.cpp
@@ -18,7 +18,6 @@ static HRESULT FindEmbeddedBySourcePath(
 extern "C" HRESULT PayloadsParseFromXml(
     __in BURN_PAYLOADS* pPayloads,
     __in_opt BURN_CONTAINERS* pContainers,
-    __in_opt BURN_CATALOGS* pCatalogs,
     __in IXMLDOMNode* pixnBundle
     )
 {
@@ -130,26 +129,6 @@ extern "C" HRESULT PayloadsParseFromXml(
             ExitOnFailure(hr, "Failed to parse @FileSize.");
         }
 
-        // @CertificateAuthorityKeyIdentifier
-        hr = XmlGetAttributeEx(pixnNode, L"CertificateRootPublicKeyIdentifier", &scz);
-        if (E_NOTFOUND != hr)
-        {
-            ExitOnFailure(hr, "Failed to get @CertificateRootPublicKeyIdentifier.");
-
-            hr = StrAllocHexDecode(scz, &pPayload->pbCertificateRootPublicKeyIdentifier, &pPayload->cbCertificateRootPublicKeyIdentifier);
-            ExitOnFailure(hr, "Failed to hex decode @CertificateRootPublicKeyIdentifier.");
-        }
-
-        // @CertificateThumbprint
-        hr = XmlGetAttributeEx(pixnNode, L"CertificateRootThumbprint", &scz);
-        if (E_NOTFOUND != hr)
-        {
-            ExitOnFailure(hr, "Failed to get @CertificateRootThumbprint.");
-
-            hr = StrAllocHexDecode(scz, &pPayload->pbCertificateRootThumbprint, &pPayload->cbCertificateRootThumbprint);
-            ExitOnFailure(hr, "Failed to hex decode @CertificateRootThumbprint.");
-        }
-
         // @Hash
         hr = XmlGetAttributeEx(pixnNode, L"Hash", &scz);
         ExitOnFailure(hr, "Failed to get @Hash.");
@@ -157,16 +136,6 @@ extern "C" HRESULT PayloadsParseFromXml(
         hr = StrAllocHexDecode(scz, &pPayload->pbHash, &pPayload->cbHash);
         ExitOnFailure(hr, "Failed to hex decode the Payload/@Hash.");
 
-        // @Catalog
-        hr = XmlGetAttributeEx(pixnNode, L"Catalog", &scz);
-        if (E_NOTFOUND != hr)
-        {
-            ExitOnFailure(hr, "Failed to get @Catalog.");
-
-            hr = CatalogFindById(pCatalogs, scz, &pPayload->pCatalog);
-            ExitOnFailure(hr, "Failed to find catalog.");
-        }
-
         // prepare next iteration
         ReleaseNullObject(pixnNode);
     }
@@ -194,8 +163,6 @@ extern "C" void PayloadsUninitialize(
             ReleaseStr(pPayload->sczKey);
             ReleaseStr(pPayload->sczFilePath);
             ReleaseMem(pPayload->pbHash);
-            ReleaseMem(pPayload->pbCertificateRootThumbprint);
-            ReleaseMem(pPayload->pbCertificateRootPublicKeyIdentifier);
             ReleaseStr(pPayload->sczSourcePath);
             ReleaseStr(pPayload->sczLocalFilePath);
             ReleaseStr(pPayload->downloadSource.sczUrl);
diff --git a/src/engine/payload.h b/src/engine/payload.h
index 0c7b68e4..e8639d64 100644
--- a/src/engine/payload.h
+++ b/src/engine/payload.h
@@ -35,11 +35,6 @@ typedef struct _BURN_PAYLOAD
     DWORD64 qwFileSize;
     LPWSTR sczFilePath; // file path relative to the execute location
 
-    BURN_CATALOG *pCatalog; // used to verify this payload
-    BYTE* pbCertificateRootPublicKeyIdentifier;
-    DWORD cbCertificateRootPublicKeyIdentifier;
-    BYTE* pbCertificateRootThumbprint;
-    DWORD cbCertificateRootThumbprint;
     BYTE* pbHash;
     DWORD cbHash;
 
@@ -64,7 +59,6 @@ typedef struct _BURN_PAYLOADS
 HRESULT PayloadsParseFromXml(
     __in BURN_PAYLOADS* pPayloads,
     __in_opt BURN_CONTAINERS* pContainers,
-    __in_opt BURN_CATALOGS* pCatalogs,
     __in IXMLDOMNode* pixnBundle
     );
 void PayloadsUninitialize(
diff --git a/src/engine/precomp.h b/src/engine/precomp.h
index c0019476..53fa949a 100644
--- a/src/engine/precomp.h
+++ b/src/engine/precomp.h
@@ -68,7 +68,6 @@
 #include "section.h"
 #include "approvedexe.h"
 #include "container.h"
-#include "catalog.h"
 #include "payload.h"
 #include "cabextract.h"
 #include "burnextension.h"
diff --git a/src/engine/userexperience.cpp b/src/engine/userexperience.cpp
index ce1662b8..8e782e71 100644
--- a/src/engine/userexperience.cpp
+++ b/src/engine/userexperience.cpp
@@ -55,7 +55,7 @@ extern "C" HRESULT UserExperienceParseFromXml(
     }
 
     // parse payloads
-    hr = PayloadsParseFromXml(&pUserExperience->payloads, NULL, NULL, pixnUserExperienceNode);
+    hr = PayloadsParseFromXml(&pUserExperience->payloads, NULL, pixnUserExperienceNode);
     ExitOnFailure(hr, "Failed to parse user experience payloads.");
 
     // make sure we have at least one payload
diff --git a/src/stub/stub.vcxproj b/src/stub/stub.vcxproj
index a8fbdfeb..da19f3c6 100644
--- a/src/stub/stub.vcxproj
+++ b/src/stub/stub.vcxproj
@@ -63,14 +63,14 @@
 
   <PropertyGroup>
     <ProjectAdditionalIncludeDirectories>$(ProjectDir)..\engine\inc</ProjectAdditionalIncludeDirectories>
-    <ProjectAdditionalLinkLibraries>cabinet.lib;crypt32.lib;msi.lib;rpcrt4.lib;shlwapi.lib;wininet.lib;wintrust.lib;wuguid.lib;engine.lib;engine.res</ProjectAdditionalLinkLibraries>
+    <ProjectAdditionalLinkLibraries>cabinet.lib;crypt32.lib;msi.lib;rpcrt4.lib;shlwapi.lib;wininet.lib;wuguid.lib;engine.lib;engine.res</ProjectAdditionalLinkLibraries>
   </PropertyGroup>
 
   <ItemDefinitionGroup>
     <Link>
       <SwapRunFromCD>true</SwapRunFromCD>
       <SwapRunFromNET>true</SwapRunFromNET>
-      <DelayLoadDLLs>cabinet.dll;crypt32.dll;msi.dll;shlwapi.dll;version.dll;wininet.dll;wintrust.dll</DelayLoadDLLs>
+      <DelayLoadDLLs>cabinet.dll;crypt32.dll;msi.dll;shlwapi.dll;version.dll;wininet.dll</DelayLoadDLLs>
     </Link>
   </ItemDefinitionGroup>
 
diff --git a/src/test/BurnUnitTest/BurnUnitTest.vcxproj b/src/test/BurnUnitTest/BurnUnitTest.vcxproj
index 1f4a7111..6ac21f9c 100644
--- a/src/test/BurnUnitTest/BurnUnitTest.vcxproj
+++ b/src/test/BurnUnitTest/BurnUnitTest.vcxproj
@@ -36,7 +36,7 @@
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <PropertyGroup>
     <ProjectAdditionalIncludeDirectories>..\..\engine;..\..\WixToolset.BootstrapperCore.Native\inc</ProjectAdditionalIncludeDirectories>
-    <ProjectAdditionalLinkLibraries>cabinet.lib;crypt32.lib;msi.lib;rpcrt4.lib;shlwapi.lib;wininet.lib;wintrust.lib</ProjectAdditionalLinkLibraries>
+    <ProjectAdditionalLinkLibraries>cabinet.lib;crypt32.lib;msi.lib;rpcrt4.lib;shlwapi.lib;wininet.lib</ProjectAdditionalLinkLibraries>
   </PropertyGroup>
   <ItemGroup>
     <ClCompile Include="AssemblyInfo.cpp" />
diff --git a/src/test/BurnUnitTest/precomp.h b/src/test/BurnUnitTest/precomp.h
index ddbdf9c6..a5db1555 100644
--- a/src/test/BurnUnitTest/precomp.h
+++ b/src/test/BurnUnitTest/precomp.h
@@ -43,7 +43,6 @@
 #include "section.h"
 #include "approvedexe.h"
 #include "container.h"
-#include "catalog.h"
 #include "payload.h"
 #include "cabextract.h"
 #include "burnextension.h"